I recently published an article about using CAT.NET security scanner on your .NET web application. Once you get it running, it’s fairly simple to integrate it into your continuous integration process.
Our strategy here will be to use a downstream job in Hudson to run static security analysis on our application build after the main compilation/packaging job completes. For this, we will use a “Build other projects” post-build trigger, then set up a scanning job that uses a custom workspace pointing to the original build location.
- First, install the 64-bit command-line version of CAT.NET from my original post (see above). In my case, I installed it in C:\SecureCI\CAT.NET64.
- Next, set up your job:
  - Create a free-form job called “App-Analyze”
  - Use the Advanced project options button to display additional project configuration options
  - Use the “Use Custom Workspace” check box to enter the workspace of the ORIGINAL build project that was built.
  - Enter a new Build step for “Execute Windows batch command”:
    ```bat
    :: Run CAT.NET on MyApp
    :: %WORKSPACE% is the custom workspace, i.e. the original build's checkout
    CD %WORKSPACE%\trunk
    :: Put the 64-bit command-line scanner on the PATH for this step
    set PATH=C:\SecureCI\CAT.NET64;%PATH%
    :: Assembly to scan (adjust to match your build output)
    set DLL=MyApp\obj\Debug\MyApp.dll
    CatNetCmd64.exe /file:%DLL% /verbose:Debug /report:MyApp.AnalysisReport.xml /reportxsloutput:MyApp.Report.html
    ```
  - Use the “Archive the artifacts” plug-in to capture the following patterns: “**/*.Report.html, **/*.AnalysisReport.xml”
  - Save your job
That’s it. Run your job. It should scan the DLL you listed and capture a Report.html and AnalysisReport.xml file. The HTML report shows a browser-compatible version of your results that you can easily browse from the Hudson UI. The XML file is useful if you want to use the CAT.NET 32-bit GUI to inspect the results in Visual Studio.
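Archiving the reports lets you read them, but the job above still goes green no matter how many findings CAT.NET reports. The script below, an added example that is not part of the post or of CAT.NET, turns the XML report into a build gate: it counts findings per rule and exits non-zero when the total exceeds a threshold or a named rule fires at all. The post does not show CAT.NET's report schema, so the `<Result>`/`<Rule>` element names and the embedded sample report are assumptions; check them against a real MyApp.AnalysisReport.xml and adjust the two tag constants if they differ.

```python
"""Quality gate for a CAT.NET XML analysis report.

Added example, not from the post or from CAT.NET. Exits non-zero when the
report holds more findings than allowed, so a Hudson batch step can fail.

ASSUMPTION: a finding is modelled as a <Result> element with a <Rule> child
naming the rule that fired. CAT.NET's real schema is not shown in the post;
inspect a real report and change the two tag names below if needed.
"""
import sys
import xml.etree.ElementTree as ET

RESULT_TAG = "Result"   # assumed element per finding
RULE_TAG = "Rule"       # assumed child holding the rule name

# Constructed sample report, used when no file path is given (not real output).
SAMPLE_REPORT = """<Report>
  <Results>
    <Result><Rule>Cross-Site Scripting</Rule><Description>...</Description></Result>
    <Result><Rule>SQL Injection</Rule></Result>
    <Result><Rule>Cross-Site Scripting</Rule></Result>
  </Results>
</Report>"""


def count_findings(xml_text):
    """Return {rule_name: number_of_findings} for the given report (str or bytes)."""
    root = ET.fromstring(xml_text)
    counts = {}
    for result in root.iter(RESULT_TAG):
        rule = (result.findtext(RULE_TAG) or "").strip() or "unknown"
        counts[rule] = counts.get(rule, 0) + 1
    return counts


def evaluate(counts, max_total=0, blocking_rules=()):
    """Apply the gate and return (passed, reasons).

    max_total      -- findings tolerated in total (0 = any finding fails the job)
    blocking_rules -- rule names that fail the job even when under max_total
    """
    reasons = []
    total = sum(counts.values())
    if total > max_total:
        reasons.append(f"{total} finding(s) exceed the allowed {max_total}")
    for rule in blocking_rules:
        if counts.get(rule, 0):
            reasons.append(f"blocking rule '{rule}' fired {counts[rule]} time(s)")
    return (not reasons, reasons)


def main(argv):
    """Usage: gate_catnet.py [report.xml] [max_total] [blocking rule ...]"""
    if len(argv) > 1:
        # Read bytes so the report's own XML encoding declaration is honoured.
        with open(argv[1], "rb") as fh:
            xml_text = fh.read()
    else:
        xml_text = SAMPLE_REPORT
    max_total = int(argv[2]) if len(argv) > 2 else 0
    blocking = tuple(argv[3:])
    counts = count_findings(xml_text)
    for rule, n in sorted(counts.items()):
        print(f"{rule}: {n}")
    passed, reasons = evaluate(counts, max_total, blocking)
    for reason in reasons:
        print("GATE FAILED:", reason)
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

To wire it in, add a line such as `python gate_catnet.py MyApp.AnalysisReport.xml 0 "SQL Injection"` after the CatNetCmd64.exe call in the batch step; Hudson marks an “Execute Windows batch command” step failed when the script exits non-zero, so the downstream job turns red on new findings while the archived HTML report still shows what was found.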